cnvd - cnvd-2024-49641

CNVD-2024-49641

Vulnerability from cnvd - Published: 2024-12-25

Title

ClassCMS代码注入漏洞

Description

ClassCMS是中国ClassCMS开源的一款简单、灵活、安全、易于拓展的内容管理系统。 ClassCMS 4.8版本存在代码注入漏洞，攻击者可利用该漏洞导致跨站脚本攻击。

Severity

中

Formal description

目前厂商尚未发布升级补丁以修复漏洞，详情请关注厂商主页： https://github.com/Jack-Black-13/blob/blob/main/classCMS_v4.8_model_xss.md

Reference

https://github.com/Jack-Black-13/blob/blob/main/classCMS_v4.8_model_xss.md https://vuldb.com/?ctiid.287875 https://vuldb.com/?id.287875 https://vuldb.com/?submit.461085

Impacted products

Name
ClassCMS ClassCMS 4.8

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-12503",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-12503"
    }
  },
  "description": "ClassCMS\u662f\u4e2d\u56fdClassCMS\u5f00\u6e90\u7684\u4e00\u6b3e\u7b80\u5355\u3001\u7075\u6d3b\u3001\u5b89\u5168\u3001\u6613\u4e8e\u62d3\u5c55\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\n\nClassCMS 4.8\u7248\u672c\u5b58\u5728\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://github.com/Jack-Black-13/blob/blob/main/classCMS_v4.8_model_xss.md",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-49641",
  "openTime": "2024-12-25",
  "products": {
    "product": "ClassCMS ClassCMS 4.8"
  },
  "referenceLink": "https://github.com/Jack-Black-13/blob/blob/main/classCMS_v4.8_model_xss.md\r\nhttps://vuldb.com/?ctiid.287875\r\nhttps://vuldb.com/?id.287875\r\nhttps://vuldb.com/?submit.461085",
  "serverity": "\u4e2d",
  "submitTime": "2024-12-20",
  "title": "ClassCMS\u4ee3\u7801\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2024-12503 (GCVE-0-2024-12503)

Vulnerability from cvelistv5 – Published: 2024-12-12 00:00 – Updated: 2024-12-12 15:47

Title

ClassCMS Model Management Page admin cross site scripting

Summary

A vulnerability classified as problematic was found in ClassCMS 4.8. Affected by this vulnerability is an unknown functionality of the file /index.php/admin of the component Model Management Page. The manipulation of the argument URL leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

2.4 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

2.4 (Low)


                        
                          CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-79 - Cross Site Scripting
CWE-94 - Code Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.287875	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.287875	signaturepermissions-required
	https://vuldb.com/?submit.461085	third-party-advisory
	https://github.com/Jack-Black-13/blob/blob/main/c…	exploit

Impacted products

	Vendor	Product	Version
	n/a	ClassCMS	Affected: 4.8

Credits

vulbox (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12503",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-12T15:47:24.455345Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-12T15:47:52.404Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Model Management Page"
          ],
          "product": "ClassCMS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "vulbox (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability classified as problematic was found in ClassCMS 4.8. Affected by this vulnerability is an unknown functionality of the file /index.php/admin of the component Model Management Page. The manipulation of the argument URL leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "In ClassCMS 4.8 wurde eine problematische Schwachstelle entdeckt. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /index.php/admin der Komponente Model Management Page. Mittels dem Manipulieren des Arguments URL mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Code Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-12T00:00:12.835Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-287875 | ClassCMS Model Management Page admin cross site scripting",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.287875"
        },
        {
          "name": "VDB-287875 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.287875"
        },
        {
          "name": "Submit #461085 | ClassCMS V4.8 Basic Cross Site Scripting",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.461085"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Jack-Black-13/blob/blob/main/classCMS_v4.8_model_xss.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2024-12-11T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2024-12-11T14:13:35.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "ClassCMS Model Management Page admin cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2024-12503",
    "datePublished": "2024-12-12T00:00:12.835Z",
    "dateReserved": "2024-12-11T13:08:25.963Z",
    "dateUpdated": "2024-12-12T15:47:52.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2024-49641

CVE-2024-12503 (GCVE-0-2024-12503)

Tags

Sightings

Nomenclature